General

Target: tmp
Size: 668KB
Sample: 220813-rbzd8saebj
MD5: 1796a3be7af222b0e1ee5a5a7c08673f
SHA1: ace2a70a033797be2f81c275e1918f1a84d90b36
SHA256: 2abcdb606044f4db592baa3f9c808bf4fcab2146c49d83ba45a4ccbb20bc8354
SHA512: 6b781cdc6426792056a6390b765dbfdc121af5becc83eeae77732977346ad25124d11edda2452e91e72f6d7a27699837c3975e4c4fefaa095c68ac5920998f7a

Static task: static1

Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220812-en
Malware Config

Extracted: netwire
C2: 212.193.30.230:3363
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
keylogger_dir: %AppData%\Logs\
lock_executable: false
offline_keylogger: true
password: Password@2
registry_autorun: false
use_mutex: false

Note: with copy_executable, registry_autorun and activex_autorun all false, this build installs no persistence of its own, and use_mutex false means there is no mutex name to pivot on. The artefacts worth hunting for are the outbound connection to 212.193.30.230:3363 and, since offline_keylogger is true, keystroke logs written under %AppData%\Logs\.
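The following script turns the extracted config above into concrete hunting artefacts: it validates the C2 entry, emits a Suricata rule for the connection, compiles the host_id template into a regex, expands keylogger_dir for a given user profile, and reads the persistence and mutex flags. This is an added example, not tria.ge's or NetWire's own code; the config values are copied from the report, while the rule SID, the alphanumeric assumption for the %Rand% placeholder and the sample %AppData% path are assumptions.

```python
"""Turn the extracted NetWire config into concrete hunting artefacts.

Added example, not tria.ge or NetWire code. NETWIRE_CONFIG is copied from
the report; the Suricata SID, the %Rand% regex and the %AppData% path used
when the script is run are assumptions.
"""
import ipaddress
import re

# Copied from the report's "Malware Config" section, keys as the report names them.
NETWIRE_CONFIG = {
    "c2": ["212.193.30.230:3363"],
    "activex_autorun": False,
    "copy_executable": False,
    "delete_original": False,
    "host_id": "HostId-%Rand%",
    "keylogger_dir": "%AppData%\\Logs\\",
    "lock_executable": False,
    "offline_keylogger": True,
    "password": "Password@2",
    "registry_autorun": False,
    "use_mutex": False,
}


def parse_c2(entry):
    """Split 'ip:port', validating both; raises ValueError on bad input."""
    host, _, port = entry.rpartition(":")
    ip = ipaddress.ip_address(host)          # raises ValueError on a malformed address
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError(f"bad port in C2 entry {entry!r}")
    return str(ip), port


def suricata_rule(ip, port, sid):
    """Minimal Suricata rule for the outbound C2 connection (SID is an assumption)."""
    return (f"alert tcp $HOME_NET any -> {ip} {port} "
            f'(msg:"NetWire RAT C2 (extracted config)"; flow:to_server,established; '
            f"classtype:trojan-activity; sid:{sid}; rev:1;)")


def host_id_regex(template):
    """Compile the host_id template to a regex; %Rand% is assumed to be alphanumeric."""
    parts = template.split("%Rand%")
    return re.compile(r"[A-Za-z0-9]+".join(re.escape(p) for p in parts))


def expand_keylogger_dir(template, env):
    """Expand %VAR% placeholders case-insensitively (as Windows does) from env."""
    def sub(m):
        name = m.group(1).lower()
        return next((v for k, v in env.items() if k.lower() == name), m.group(0))
    return re.sub(r"%([^%]+)%", sub, template)


def configures_persistence(cfg):
    """True if the build asks the RAT to install its own autorun entry."""
    return bool(cfg["registry_autorun"] or cfg["activex_autorun"])


def build_iocs(cfg, env, sid=1000001):
    """Collect the host and network indicators a hunter would query for."""
    ip, port = parse_c2(cfg["c2"][0])
    return {
        "c2_ip": ip,
        "c2_port": port,
        "suricata": suricata_rule(ip, port, sid),
        "host_id_pattern": host_id_regex(cfg["host_id"]).pattern,
        "keylog_dir": (expand_keylogger_dir(cfg["keylogger_dir"], env)
                       if cfg["offline_keylogger"] else None),
        "self_persistence": configures_persistence(cfg),
        "mutex": "configured" if cfg["use_mutex"] else None,
    }


if __name__ == "__main__":
    env = {"AppData": "C:\\Users\\alice\\AppData\\Roaming"}  # constructed sample profile
    for key, value in build_iocs(NETWIRE_CONFIG, env).items():
        print(f"{key}: {value}")
```

Because the config disables both autorun options, `self_persistence` comes back false; a hunt on this build should lean on the network indicator and the keylog directory rather than on Run keys.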
Targets

Target: tmp (668KB; MD5, SHA1, SHA256 and SHA512 as listed under General above)

Signatures:
NetWire RAT payload
Checks computer location settings: looks up the country code configured in the registry, a likely geofence check.
Suspicious use of SetThreadContext: SetThreadContext is the call used to point a thread at injected code (process hollowing, thread hijacking), so treat it as an injection indicator when it follows writes into another process.
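To show how the two behavioural signatures above are derived from an API trace, here is a small detector that flags a registry read of the locale/country settings and a SetThreadContext-based injection sequence (suspended child, memory write, context swap, resume). This is an added example and not the sandbox's own signature engine; the trace lines, their `pid=... api=... key="..."` format, the target image path and the registry paths checked are constructed for the demonstration.

```python
"""Re-derive the report's behavioural signatures from a constructed API trace.

Added example, not tria.ge signature code. TRACE and its line format are
constructed to mirror the behaviours the report names; the registry paths
in LOCALE_KEYS are where Windows keeps the user and system locale settings.
"""
import re

CREATE_SUSPENDED = 0x00000004  # Win32 dwCreationFlags bit

LINE_RE = re.compile(r'^pid=(?P<pid>\d+)\s+api=(?P<api>\w+)\s*(?P<args>.*)$')
ARG_RE = re.compile(r'(\w+)="([^"]*)"')

# Reading these keys is the "checks computer location settings" tell.
LOCALE_KEYS = (
    r"Control Panel\International",
    r"SYSTEM\CurrentControlSet\Control\Nls\Language",
)

# Constructed trace: pid 1000 geofences and hollows a suspended child;
# pid 2000 spawns a normal (non-suspended) child and must not be flagged.
TRACE = r'''
pid=1000 api=RegOpenKeyExW key="HKCU\Control Panel\International"
pid=1000 api=RegQueryValueExW key="HKCU\Control Panel\International" value="LocaleName"
pid=1000 api=CreateProcessW image="C:\Windows\System32\target.exe" flags="0x4" child="1100" thread="1104"
pid=1000 api=NtUnmapViewOfSection target="1100"
pid=1000 api=WriteProcessMemory target="1100" size="0x1a000"
pid=1000 api=SetThreadContext thread="1104"
pid=1000 api=ResumeThread thread="1104"
pid=2000 api=CreateProcessW image="C:\Windows\notepad.exe" flags="0x0" child="2100" thread="2104"
pid=2000 api=ResumeThread thread="2104"
'''


def parse_trace(text):
    """Parse lines into {'pid', 'api', 'args'} dicts, skipping malformed ones."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"pid": m["pid"], "api": m["api"],
                           "args": dict(ARG_RE.findall(m["args"]))})
    return events


def detect_locale_lookup(events):
    """Registry reads of the locale/country keys -> (pid, api, key, value)."""
    hits = []
    for ev in events:
        if ev["api"] in ("RegOpenKeyExW", "RegQueryValueExW"):
            key = ev["args"].get("key", "")
            if any(k.lower() in key.lower() for k in LOCALE_KEYS):
                hits.append((ev["pid"], ev["api"], key, ev["args"].get("value")))
    return hits


def detect_hollowing(events):
    """(parent, child) pairs where a suspended child was written to, had a
    thread context replaced and was then resumed, in that order."""
    suspended, by_thread, hits = {}, {}, []
    for ev in events:
        a, api = ev["args"], ev["api"]
        if api == "CreateProcessW" and int(a.get("flags", "0"), 16) & CREATE_SUSPENDED:
            suspended[a["child"]] = {"parent": ev["pid"], "steps": set()}
            by_thread[a["thread"]] = a["child"]
        elif api == "WriteProcessMemory" and a.get("target") in suspended:
            suspended[a["target"]]["steps"].add("write")
        elif api == "SetThreadContext" and a.get("thread") in by_thread:
            child = by_thread[a["thread"]]
            if "write" in suspended[child]["steps"]:
                suspended[child]["steps"].add("context")
        elif api == "ResumeThread" and a.get("thread") in by_thread:
            child = by_thread[a["thread"]]
            if {"write", "context"} <= suspended[child]["steps"]:
                hits.append((suspended[child]["parent"], child))
    return hits


def signatures(text):
    """Names of the report signatures the trace triggers."""
    events = parse_trace(text)
    out = []
    if detect_locale_lookup(events):
        out.append("Checks computer location settings")
    if detect_hollowing(events):
        out.append("Suspicious use of SetThreadContext")
    return out


if __name__ == "__main__":
    for name in signatures(TRACE):
        print(name)
```

The hollowing detector deliberately requires the write before the context swap and both before the resume; a bare SetThreadContext on a thread the process owns (as debuggers and some runtimes do) does not fire it.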